[Xymon] Monitoring that iptables and SELinux are running / enabled

SebA spah at syntec.co.uk
Fri Apr 12 13:56:36 CEST 2013


Hi Jeremy,
 
Thanks! Those are some great ideas.
 
FYI, the md5 is different for me though:
$ xymondigest md5 /selinux/enforce
md5:c4ca4238a0b923820dcc509a6f75849b
$ cat /selinux/enforce
1[prompt]$
i.e. no carriage return or newline characters.
 
For iptables the path is different on my system too, and my default is DROP
rather than REJECT:
$ sudo /sbin/iptables-save | grep "^:INPUT DROP" >/dev/null && echo "green: iptables default is DROP" || echo "red: iptables problem";
green: iptables default is DROP

Presumably I could allow the xymon user to run /sbin/iptables-save with sudo
though, as I did.  I guess that's a bit trickier...  Oh well, let's have a
go!

Using xymon-client-4.3.10-1 RPM. It's working for me but (if anyone else
wants to use this) YMMV.  I've hacked up some example scripts so they work
in my environment and used your suggestion but converted it to be sudoers
safe (I hope).

Create xymon-clientIPtablesCheck.sh in /etc/xymon-client/ext (and ensure it
is executable: chmod +x <filename>): 
 
#!/bin/sh
# Written by SebA 12/04/13 with help from articles on the net.

# Test-Mode ?
# TEST=0 => works in cooperation with Xymon agent (default)
# TEST=1 => for testing, results to stdout (run "TEST=1 ./bb-testname.sh" on cmd-line)
# TEST>1 => for testing, but sending results to Xymon server without activating script in hobbitlaunch.cfg
TEST=${TEST:-"0"}
if [ "$TEST" -gt 0 ]
then
  # You only need to change these if you want to test the script manually.
  BBHOME="/usr/share/xymon-client"
  #  . /etc/xymon-client/xymonclient.cfg
  # This did not work for me (include is not a valid command), so set the parts we need:
  XYMONSERVERS="CHANGEME.FOR.TESTING.ONLY"
  PATH="/usr/libexec/xymon-client:/bin:/usr/bin:/sbin:/usr/sbin:/etc"  # PATH setting for the client scripts.
  # The agent normally supplies MACHINE (hostname with dots written as commas)
  # and BB (the xymon client binary); when run by hand they are unset, so
  # derive them here. BB is found via the PATH above.
  MACHINE="${MACHINE:-$(hostname | sed -e 's/\./,/g')}"
  BB="${BB:-xymon}"
  [ "$TEST" = "1" ] && BB="echo"
fi

COLUMN=iptables        # Name of the column
COLOR=purple           # By default, there is no report.
MSG="iptables status"  # Not used.

# Do whatever you need to test for something
#sudo /sbin/iptables-save | grep "^:INPUT DROP" >/dev/null
# This would allow xymon user to get potentially sensitive information, so
# put this into a new script instead (it exits 0 only when INPUT defaults to DROP):
sudo /sbin/iptables-check
RETVAL=$?
if [ $RETVAL -eq 0 ]
then
   COLOR=green
   MSG="iptables default is DROP"
else
   COLOR=red
   MSG="iptables problem"
fi

# Tell Xymon about it
$BB $XYMONSERVERS "status $MACHINE.$COLUMN $COLOR $(date)

${MSG}
"

exit 0

Create IPtablesCheck.cfg in /etc/xymon-client/ext:
 
[iptables-check]
   ENVFILE $XYMONCLIENTHOME/etc/xymonclient.cfg
   CMD $XYMONCLIENTHOME/ext/xymon-clientIPtablesCheck.sh
   LOGFILE $XYMONCLIENTHOME/logs/iptables-check.log
   INTERVAL 5m

Create /sbin/iptables-check with:
#!/bin/sh
# Exit 0 if the filter table's INPUT chain defaults to DROP, non-zero otherwise.
# Needs root: iptables-save cannot dump the rules as an unprivileged user, and
# only the exit status leaves this script, never the rules themselves.
/sbin/iptables-save | grep -q "^:INPUT DROP"

Check that permissions are suitable:
$ ls -l /sbin/iptables-check
-rwxr-xr-x 1 root root 63 Apr 12 11:08 /sbin/iptables-check

You don't want non-root to be able to modify this file. Everyone can run it,
but it will only work properly for root.

In /etc/sudoers add:
Defaults:xymon !requiretty
After:
Defaults    requiretty

And lower down in an appropriate section add:
xymon   ALL=(root)      NOPASSWD: /sbin/iptables-check



Kind regards, 

SebA
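The two checks discussed in this thread (SebA's /sbin/iptables-check wrapper above and Jeremy's /selinux/enforce md5 rule quoted below), written as an added example that is not code from either post. The functions take their input explicitly (iptables-save output on stdin, the enforce file as an argument) so the logic can be exercised as the xymon user without sudo, against constructed sample rules embedded in the script. It assumes the enforce pseudo-file lives at /selinux/enforce on older kernels and /sys/fs/selinux/enforce on newer ones; the sample rulesets and the name iptables-selinux-check.sh are made up for the example.

```shell
#!/bin/sh
# Added example, not from either post. iptables default-policy and SELinux
# enforcing checks as functions that take their input explicitly.

# iptables_policy_check: read iptables-save output on stdin; exit 0 only if
# the *filter* table's INPUT and FORWARD chains both default to DROP.
# A bare 'grep "^:INPUT DROP"' would also match the nat table's INPUT chain
# and says nothing about FORWARD, so the table header is tracked.
iptables_policy_check() {
    awk '
        /^\*/ { table = substr($0, 2); next }      # "*filter", "*nat", ...
        table == "filter" && /^:(INPUT|FORWARD) / { policy[$1] = $2 }
        END {
            if (policy[":INPUT"] == "DROP" && policy[":FORWARD"] == "DROP")
                exit 0
            exit 1
        }'
}

# iptables_status: the "colour: message" line the thread feeds to Xymon or
# to logger. Reads iptables-save output on stdin.
iptables_status() {
    if iptables_policy_check; then
        echo "green: iptables default is DROP"
    else
        echo "red: iptables problem"
    fi
}

# selinux_status FILE: FILE is the enforce pseudo-file. The kernel writes a
# bare "1"/"0" with no trailing newline, which is why an MD5 of the file
# differs from the MD5 of "1\n"; command substitution drops any trailing
# newline, so both forms compare equal here. A missing file means SELinux
# is disabled (selinuxfs not mounted).
selinux_status() {
    if [ ! -r "$1" ]; then
        echo "red: SELinux is disabled (no $1)"
        return 1
    fi
    case "$(cat "$1")" in
        1) echo "green: SELinux is enforcing"; return 0 ;;
        0) echo "red: SELinux is permissive"; return 1 ;;
        *) echo "red: unexpected contents in $1"; return 1 ;;
    esac
}

# Constructed sample iptables-save output (not captured from a real host).
# GOOD_RULES: DROP defaults. BAD_RULES: INPUT is ACCEPT in the filter table
# even though the nat table's INPUT chain happens to be DROP.
GOOD_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

BAD_RULES='*nat
:PREROUTING ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# demo: run the checks over the samples and the live SELinux state.
demo() {
    printf '%s\n' "$GOOD_RULES" | iptables_status
    printf '%s\n' "$BAD_RULES"  | iptables_status
    selinux_status /sys/fs/selinux/enforce || selinux_status /selinux/enforce
}

# Usage: sh iptables-selinux-check.sh demo
if [ "${1:-}" = "demo" ]; then
    demo
fi
```

On a live host pipe the real rules in (`sudo /sbin/iptables-save | iptables_status`); the sudo rule should stay scoped to iptables-save or to a root-owned wrapper as in the script above, since the output is the full ruleset.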


________________________________

	From: Jeremy Laidman [mailto:jlaidman at rebel-it.com.au] 
	Sent: 12 April 2013 02:14
	To: SebA
	Cc: xymon
	Subject: Re: [Xymon] Monitoring that iptables and SELinux are running / enabled
	
	
	On 11 April 2013 21:46, SebA <spah at syntec.co.uk> wrote:
	

		Is there any code out there to monitor that
		(a) iptables is running (not just set to everything allowed)
		(b) SELinux is enabled

	
	
	For the second one, you can add this to client-local.cfg:

	file:/selinux/enforce:md5

	then in analysis.cfg:
	
	
	FILE /selinux/enforce MD5=cfcd208495d565ef66e7dff9f98764da red "TEXT=SELinux is not enforcing"

	This will warn if the contents of /selinux/enforce is not zero. This also warns if the file does not exist (such as when selinux is disabled).

	You can't really do the same thing with iptables, because you need to be root to dump the rules.  There's only so much the xymon user can do. You could check that the ip_tables kernel module is loaded with lsmod, or you could check a file that a root cron job dumps to every 5 minutes.  You also might want to be a bit careful that you're not transmitting iptables rules in-the-clear to the Xymon server.  Perhaps something like this:

	Create /etc/cron.d/dump-iptables with:

	# analyse and report on iptables rules, for xymon to read
	*/5 * * * * root { /usr/bin/iptables-save | grep "^:INPUT REJECT" >/dev/null && echo "green: iptables default is reject" || echo "red: iptables problem"; } | logger

	This will put a message in your syslog, which you can then match using standard Xymon log monitoring.

	One problem with this technique is that when someone stops the cronjob, you'll simply stop getting log messages through.  There are ways to detect or work around this.

	J






More information about the Xymon mailing list